Tuesday, April 17, 2007

Microsoft DNS Server Remote Code Advisory

Microsoft released their advisory on 12 Apr 07 and hackers reacted quickly with working exploits the very next day. By Apr 14th, working exploits were out in the wild for script kiddies and crackers to add to their Internet worms.

What you need to know

This exploit involves Lookup_ZoneTreeNodeFromDottedName(), which uses a vulnerable function, Name_ConvertFileNameToCountName(), to convert a string. This function allows backslashes despite some checking carried out while it writes to the buffer. The checking can be bypassed using multiple backslash characters, which results in a stack overflow.

Public Exploits

The publicly available exploits contain a port 4444 bind payload with intelligent dynamic RPC port detection, auto target search by using OS fingerprinting, a /GS bypass technique with DEP disabled and universal local/remote exploits. Metasploit released its exploit code on 15 Apr 07, which targets Windows 2000 and 2003 Server. Attackers or pen testers could use any of their favorite payloads with the exploit, but the downside is that it does not have dynamic port detection and /GS bypass. Longhorn is also vulnerable to this exploit.

Hardware DEP

Initial analysis suggests that systems having Hardware DEP enabled are not vulnerable to this exploit because of the hardware-based protection against stack overflows.

Ports

The Metasploit exploit attacks port 135 or 593, although a custom port can be chosen. There is no auto-detection of the port on which the RPC service is running, so this has to be tested for manually. Port 53 is not vulnerable, so no attack vectors will be found there. Port 445 is one of the most common ports that will be attacked, as the public exploit has this port assigned as a default, but this will only work for users with valid authentication credentials. The RPC interface of Windows DNS is bound to a port in the range 1024-5000, so it is a good idea to filter these with a firewall. Rinbot scanning for port 1025 DNS/RPC has also been detected. Monitor attacked ports through the CERTStation Dashboard.
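
To decide which ports to filter on a given DNS server, an administrator can read the listener table locally instead of guessing. The Python below is an added example, not part of the original post: it parses `netstat -ano` output and reports the port in 1024-5000 that the DNS service has bound, plus any of ports 135, 445 and 593 that are listening. The sample output, the addresses and PID 1432 for dns.exe are constructed.

```python
import re

# Constructed sample of `netstat -ano` output from a Windows DNS server.
# PID 1432 stands in for dns.exe (assumption; look up the real PID with tasklist).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1034           0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       2210
  TCP    127.0.0.1:1050         0.0.0.0:0              LISTENING       1432
  TCP    192.0.2.10:1034        192.0.2.77:49222       ESTABLISHED     1432
  UDP    0.0.0.0:53             *:*                                    1432
"""

RPC_ENTRY_PORTS = {135, 445, 593}   # ports the post names for the public exploits
DYNAMIC_RANGE = range(1024, 5001)   # range the post gives for the DNS RPC interface
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def tcp_listeners(netstat_text):
    """Return (address, port, pid) for every TCP row in the LISTENING state."""
    rows = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return rows

def ports_to_filter(netstat_text, dns_pid):
    """Split listeners into the DNS RPC port(s) and the shared RPC entry ports."""
    dns_rpc, entry = set(), set()
    for addr, port, pid in tcp_listeners(netstat_text):
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback-only listeners are not reachable from the network
        if pid == dns_pid and port in DYNAMIC_RANGE:
            dns_rpc.add(port)   # port 53 falls outside the range and is ignored
        elif port in RPC_ENTRY_PORTS:
            entry.add(port)
    return {"dns_rpc_ports": sorted(dns_rpc), "rpc_entry_ports": sorted(entry)}

if __name__ == "__main__":
    print(ports_to_filter(SAMPLE_NETSTAT, dns_pid=1432))
```

The ports it reports are the ones to block at the perimeter for that host; rerun it after a service restart, since the bound port can differ.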